Getting error Regular Expression Threat Detected in SEC-REP-PayloadInjectionScan.policy

We are getting a regular threat protection error (500 internal) on the response side.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="SEC-REP-PayloadInjectionScan">
    <DisplayName>SEC-REP-PayloadInjectionScan</DisplayName>
    <Properties/>
    <Source>message</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <JSONPayload>
        <JSONPath>
            <Expression>$.</Expression>
            <!--SQL Injection -->
            <Pattern ignoreCase="true">\b(ALTER( +TABLE){1,1}|CREATE( +TABLE| +INDEX| +DB| +DATABASE| +VIEW){1,1}|(DELETE[*\s+]+FROM)|DROP( +TABLE| +INDEX| +DB| +DATABASE){1,1}|TRUNCATE( +TABLE){1,1}|EXECUTE\s?([a-z]|[A-Z])+(;){1,1}|SQL INCLUDE\s[+]\s([(]+[a-z]|[a-z])+[)]|MERGE\s?([a-z]|[A-Z])+\s?(AS)\s?([a-z]|[A-Z])+(;)|INSERT( +INTO){1,1}|((SELECT)(\s+[\S,\s]+\s+))(FROM)|(UPDATE)(\s+[\S,\s]+\s)(SET)\s*( +ALL){0,1})</Pattern>
            <!-- Server side include -->
            <Pattern ignoreCase="true">\b(((echo\s([a-z]|[A-Z])+[=]){1,1})|(exec\s([a-z]|[A-Z])+[=])|(config\s([a-z]|[A-Z])+[=])|(include\s([a-z]|[A-Z])+[=])|(cpt\s([a-z]|[A-Z]+[=]))|(cookie\s([a-z]|[A-Z])+[=])|(printenv)\b)</Pattern>
        </JSONPath>
    </JSONPayload>
</RegularExpressionProtection>

 

Could you please let us know what the issue is and how to resolve it?

@anilsr 

Thanks,

Mk

 

 

2 REPLIES

What error did you receive? Since the policy is configured using JSONPath, it is expecting a JSON payload in the body of the message. If a valid JSON payload is not present, then the policy will fail to parse the body and throw a fault.

 

You can just do self-resolution by testing the response payload in any regular expression tool. Without much information provided, it is hard to determine which pattern is matching and causing the threat detection.

https://regexr.com/
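One way to run the check both replies describe offline, as an added example that is not part of the original thread: it parses a response body as JSON and reports which of the policy's two patterns matches which string value. Python's `re` stands in for the gateway's regex engine; scanning each string value separately, the names `walk`, `scan` and `SAMPLE`, and the sample body are assumptions made for illustration.

```python
import json
import re

# Patterns copied verbatim from the SEC-REP-PayloadInjectionScan policy in the question.
PATTERNS = {
    "SQL Injection": r"\b(ALTER( +TABLE){1,1}|CREATE( +TABLE| +INDEX| +DB| +DATABASE| +VIEW){1,1}|(DELETE[*\s+]+FROM)|DROP( +TABLE| +INDEX| +DB| +DATABASE){1,1}|TRUNCATE( +TABLE){1,1}|EXECUTE\s?([a-z]|[A-Z])+(;){1,1}|SQL INCLUDE\s[+]\s([(]+[a-z]|[a-z])+[)]|MERGE\s?([a-z]|[A-Z])+\s?(AS)\s?([a-z]|[A-Z])+(;)|INSERT( +INTO){1,1}|((SELECT)(\s+[\S,\s]+\s+))(FROM)|(UPDATE)(\s+[\S,\s]+\s)(SET)\s*( +ALL){0,1})",
    "Server side include": r"\b(((echo\s([a-z]|[A-Z])+[=]){1,1})|(exec\s([a-z]|[A-Z])+[=])|(config\s([a-z]|[A-Z])+[=])|(include\s([a-z]|[A-Z])+[=])|(cpt\s([a-z]|[A-Z]+[=]))|(cookie\s([a-z]|[A-Z])+[=])|(printenv)\b)",
}
# ignoreCase="true" in the policy maps to re.IGNORECASE here.
COMPILED = {label: re.compile(p, re.IGNORECASE) for label, p in PATTERNS.items()}


def walk(node, path="$"):
    """Yield (json_path, value) for every string leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan(body):
    """Return [(json_path, pattern_label, matched_text)] for a response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # First reply's point: a body that is not valid JSON fails before any pattern runs.
        return [("$", "invalid JSON", str(exc))]
    findings = []
    for path, value in walk(doc):
        for label, rx in COMPILED.items():
            match = rx.search(value)
            if match:
                findings.append((path, label, match.group(0)))
    return findings


# Constructed sample response body: ordinary wording that still trips both patterns.
SAMPLE = ('{"status": "ok", "items": [{"id": 7, "note": "Please select a plan from the list"}],'
          ' "message": "The cookie consent=true flag was stored"}')

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The matched substring in each finding shows which alternative of the pattern fired, which is the information needed to decide whether to narrow the pattern or exclude that field from the scan.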